ASP.NET 的安全隐患
asp.net存在安全隐患,即攻击者可以利用潜在的canonicalization攻击webserver
(即利用 ..\.. 欺骗 IIS,从而遍历目录),建议在Global.asax.cs中加入如下代码提高安全性:
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
if (Request.Path.IndexOf('\\') >= 0 ||
System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
throw new HttpException(404, "not found");
}
}
</script>
(即利用 ..\.. 欺骗 IIS,从而遍历目录),建议在Global.asax.cs中加入如下代码提高安全性:
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
if (Request.Path.IndexOf('\\') >= 0 ||
System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
throw new HttpException(404, "not found");
}
}
</script>
